A Too it for Ri - E y o Vadim Lyubashevsky 1 Chris Peikert 2 Oded - - PowerPoint PPT Presentation

A Tooλκit for Riνγ-ΛΩE κρyπτoγραφ Vadim Lyubashevsky1 Chris Peikert2 Oded Regev3

1INRIA & ENS Paris 2Georgia Tech 3Courant Institute, NYU

Eurocrypt 2013 27 May

1 / 12

A Toolkit for Ring-LWE Cryptography Vadim Lyubashevsky1 Chris Peikert2 Oded Regev3

1INRIA & ENS Paris 2Georgia Tech 3Courant Institute, NYU

Eurocrypt 2013 27 May

1 / 12

Lattice- and Ring-Based Cryptography

◮ Offers worst-case hardness [Ajtai’96,. . . ], asymptotic efficiency & parallelism, and (apparent) quantum resistance.

2 / 12

Lattice- and Ring-Based Cryptography

◮ Offers worst-case hardness [Ajtai’96,. . . ], asymptotic efficiency & parallelism, and (apparent) quantum resistance. ◮ Many exciting developments in recent years:

⋆ Encryption

[R’05,PW’08,PVW’08,ACPS’09,. . . ]

⋆ Signatures

[LM’08,GPV’08,L’09,CHKP’10,B’10,GKV’10,BF’11ab,L’12,. . . ]

⋆ (H)IBE & FE

[GPV’08,CHKP’10,ABB’10,AFV’11,. . . ]

⋆ FHE

[G’09,vDGHV’10,SV’11,BV’11ab,BGV’12,B’12,. . . ]

⋆ Multi-linear maps

[GGH’13,CLT’13,. . . ]

2 / 12

Lattice- and Ring-Based Cryptography

◮ Offers worst-case hardness [Ajtai’96,. . . ], asymptotic efficiency & parallelism, and (apparent) quantum resistance. ◮ Many exciting developments in recent years:

⋆ Encryption

[R’05,PW’08,PVW’08,ACPS’09,. . . ]

⋆ Signatures

[LM’08,GPV’08,L’09,CHKP’10,B’10,GKV’10,BF’11ab,L’12,. . . ]

⋆ (H)IBE & FE

[GPV’08,CHKP’10,ABB’10,AFV’11,. . . ]

⋆ FHE

[G’09,vDGHV’10,SV’11,BV’11ab,BGV’12,B’12,. . . ]

⋆ Multi-linear maps

[GGH’13,CLT’13,. . . ]

◮ Most modern schemes are based on the SIS/LWE problems [A’96,R’05] and/or their ring variants [M’02,PR’06,LM’06,LPR’10].

2 / 12

Lattice- and Ring-Based Cryptography

◮ Offers worst-case hardness [Ajtai’96,. . . ], asymptotic efficiency & parallelism, and (apparent) quantum resistance. ◮ Many exciting developments in recent years:

⋆ Encryption

[R’05,PW’08,PVW’08,ACPS’09,. . . ]

⋆ Signatures

[LM’08,GPV’08,L’09,CHKP’10,B’10,GKV’10,BF’11ab,L’12,. . . ]

⋆ (H)IBE & FE

[GPV’08,CHKP’10,ABB’10,AFV’11,. . . ]

⋆ FHE

[G’09,vDGHV’10,SV’11,BV’11ab,BGV’12,B’12,. . . ]

⋆ Multi-linear maps

[GGH’13,CLT’13,. . . ]

◮ Most modern schemes are based on the SIS/LWE problems [A’96,R’05] and/or their ring variants [M’02,PR’06,LM’06,LPR’10].

✗ SIS/LWE aren’t quite practical: Ω(n2) key sizes and runtimes ✔ Ring-based primitives are! ˜ O(n) complexity

2 / 12

LWE Over Rings, Over-Simplified [LPR’10]

Ring R := Z[X]/(1 + Xn) for some n = 2k, Rq := R/qR.

3 / 12

LWE Over Rings, Over-Simplified [LPR’10]

Ring R := Z[X]/(1 + Xn) for some n = 2k, Rq := R/qR. ◮ For s ← Rq, pairs {(ai , bi)}

c

≈ uniform {(ai , bi)}: a1 ← Rq , b1 = a1 · s + e1 ∈ Rq a2 ← Rq , b2 = a2 · s + e2 ∈ Rq . . .

3 / 12

LWE Over Rings, Over-Simplified [LPR’10]

Ring R := Z[X]/(1 + Xn) for some n = 2k, Rq := R/qR. ◮ For s ← Rq, pairs {(ai , bi)}

c

≈ uniform {(ai , bi)}: a1 ← Rq , b1 = a1 · s + e1 ∈ Rq a2 ← Rq , b2 = a2 · s + e2 ∈ Rq . . . ◮ Error (“noise”) terms e(X) ∈ R are “short.” What could this mean?

3 / 12

LWE Over Rings, Over-Simplified [LPR’10]

Ring R := Z[X]/(1 + Xn) for some n = 2k, Rq := R/qR. ◮ For s ← Rq, pairs {(ai , bi)}

c

≈ uniform {(ai , bi)}: a1 ← Rq , b1 = a1 · s + e1 ∈ Rq a2 ← Rq , b2 = a2 · s + e2 ∈ Rq . . . ◮ Error (“noise”) terms e(X) ∈ R are “short.” What could this mean? e(X) =

n−1

• j=0

ejXj ← → (e0, e1, . . . , en−1) ∈ Zn.

3 / 12

LWE Over Rings, Over-Simplified [LPR’10]

Ring R := Z[X]/(1 + Xn) for some n = 2k, Rq := R/qR. ◮ For s ← Rq, pairs {(ai , bi)}

c

≈ uniform {(ai , bi)}: a1 ← Rq , b1 = a1 · s + e1 ∈ Rq a2 ← Rq , b2 = a2 · s + e2 ∈ Rq . . . ◮ Error (“noise”) terms e(X) ∈ R are “short.” What could this mean? e(X) =

n−1

• j=0

ejXj ← → (e0, e1, . . . , en−1) ∈ Zn. ◮ Applications need (+, ·)-combinations of errors to remain short, so we can “decode” them modulo q. Significantly affects security.

3 / 12

LWE Over Rings, Over-Simplified [LPR’10]

Ring R := Z[X]/(1 + Xn) for some n = 2k, Rq := R/qR. ◮ For s ← Rq, pairs {(ai , bi)}

c

≈ uniform {(ai , bi)}: a1 ← Rq , b1 = a1 · s + e1 ∈ Rq a2 ← Rq , b2 = a2 · s + e2 ∈ Rq . . . ◮ Error (“noise”) terms e(X) ∈ R are “short.” What could this mean? e(X) =

n−1

• j=0

ejXj ← → (e0, e1, . . . , en−1) ∈ Zn. ◮ Applications need (+, ·)-combinations of errors to remain short, so we can “decode” them modulo q. Significantly affects security. e + e′ ≤ e + e′ e · e′ ≤ √n · e · e′.

3 / 12

LWE Over Rings, Over-Simplified [LPR’10]

Ring R := Z[X]/(1 + Xn) for some n = 2k, Rq := R/qR. ◮ For s ← Rq, pairs {(ai , bi)}

c

≈ uniform {(ai , bi)}: a1 ← Rq , b1 = a1 · s + e1 ∈ Rq a2 ← Rq , b2 = a2 · s + e2 ∈ Rq . . . ◮ Error (“noise”) terms e(X) ∈ R are “short.” What could this mean? e(X) =

n−1

• j=0

ejXj ← → (e0, e1, . . . , en−1) ∈ Zn. ◮ Applications need (+, ·)-combinations of errors to remain short, so we can “decode” them modulo q. Significantly affects security. e + e′ ≤ e + e′ e · e′ ≤ √n · e · e′. (“Expansion factor” √n is worst-case, often quite loose.)

3 / 12

More Rings, Please!

◮ Rings Z[X]/(1 + X2k) don’t meet all our needs.

4 / 12

More Rings, Please!

◮ Rings Z[X]/(1 + X2k) don’t meet all our needs.

✗ They are rare — might make keys unnecessarily large in practice.

4 / 12

More Rings, Please!

◮ Rings Z[X]/(1 + X2k) don’t meet all our needs.

✗ They are rare — might make keys unnecessarily large in practice. ✗✗ Many schemes cannot use them at all! E.g., SIMD homom. encryption [SV’11] and applications [GHS’12abc]

4 / 12

More Rings, Please!

◮ Rings Z[X]/(1 + X2k) don’t meet all our needs.

✗ They are rare — might make keys unnecessarily large in practice. ✗✗ Many schemes cannot use them at all! E.g., SIMD homom. encryption [SV’11] and applications [GHS’12abc]

◮ The mth cyclotomic ring: R = Z[X]/Φm(X) where Φm(X) =

• i∈Z∗

m

(X − ωi

m) ∈ Z[X],

ωm = e2π√−1/m ∈ C. Note: Φm(X) divides (Xm − 1), has degree n = ϕ(m) = deg(Φm). “Power” Z-basis of R is {1, X, X2, . . . , Xn−1}.

4 / 12

More Rings, Please!

◮ Rings Z[X]/(1 + X2k) don’t meet all our needs.

✗ They are rare — might make keys unnecessarily large in practice. ✗✗ Many schemes cannot use them at all! E.g., SIMD homom. encryption [SV’11] and applications [GHS’12abc]

◮ The mth cyclotomic ring: R = Z[X]/Φm(X) where Φm(X) =

• i∈Z∗

m

(X − ωi

m) ∈ Z[X],

ωm = e2π√−1/m ∈ C. Note: Φm(X) divides (Xm − 1), has degree n = ϕ(m) = deg(Φm). “Power” Z-basis of R is {1, X, X2, . . . , Xn−1}. ◮ Examples: Φ2k+1(X) = 1 + X2k, Φ9(X) = 1 + X3 + X6.

4 / 12

More Rings, Please!

◮ Rings Z[X]/(1 + X2k) don’t meet all our needs.

✗ They are rare — might make keys unnecessarily large in practice. ✗✗ Many schemes cannot use them at all! E.g., SIMD homom. encryption [SV’11] and applications [GHS’12abc]

◮ The mth cyclotomic ring: R = Z[X]/Φm(X) where Φm(X) =

• i∈Z∗

m

(X − ωi

m) ∈ Z[X],

ωm = e2π√−1/m ∈ C. Note: Φm(X) divides (Xm − 1), has degree n = ϕ(m) = deg(Φm). “Power” Z-basis of R is {1, X, X2, . . . , Xn−1}. ◮ Examples: Φ2k+1(X) = 1 + X2k, Φ9(X) = 1 + X3 + X6. ✔ Ring-LWE (appropriately defined) is hard in any cyclotomic [LPR’10]

. . . assuming problems on ideal lattices are quantum-hard in the worst case.

4 / 12

The Form of Cyclotomic Polynomials

◮ For prime p, Φp(X) = 1 + X + X2 + · · · + Xp−1 and Φpe(X) = Φp(Xpe−1).

5 / 12

The Form of Cyclotomic Polynomials

◮ For prime p, Φp(X) = 1 + X + X2 + · · · + Xp−1 and Φpe(X) = Φp(Xpe−1). Mod-Φpe(X) reduction is efficient; small(ish) expansion factor.

5 / 12

The Form of Cyclotomic Polynomials

◮ For prime p, Φp(X) = 1 + X + X2 + · · · + Xp−1 and Φpe(X) = Φp(Xpe−1). Mod-Φpe(X) reduction is efficient; small(ish) expansion factor. But still not enough: e.g., SIMD FHE likes m = 3 · 7 · 19 · 73.

5 / 12

The Form of Cyclotomic Polynomials

◮ For prime p, Φp(X) = 1 + X + X2 + · · · + Xp−1 and Φpe(X) = Φp(Xpe−1). Mod-Φpe(X) reduction is efficient; small(ish) expansion factor. But still not enough: e.g., SIMD FHE likes m = 3 · 7 · 19 · 73. ◮ What about non-prime power m?

5 / 12

The Form of Cyclotomic Polynomials

◮ For prime p, Φp(X) = 1 + X + X2 + · · · + Xp−1 and Φpe(X) = Φp(Xpe−1). Mod-Φpe(X) reduction is efficient; small(ish) expansion factor. But still not enough: e.g., SIMD FHE likes m = 3 · 7 · 19 · 73. ◮ What about non-prime power m?

✗ Φ21(X) = 1 − X + X3 − X4 + X6 − X8 + X9 − X11 + X12

5 / 12

The Form of Cyclotomic Polynomials

◮ For prime p, Φp(X) = 1 + X + X2 + · · · + Xp−1 and Φpe(X) = Φp(Xpe−1). Mod-Φpe(X) reduction is efficient; small(ish) expansion factor. But still not enough: e.g., SIMD FHE likes m = 3 · 7 · 19 · 73. ◮ What about non-prime power m?

✗ Φ21(X) = 1 − X + X3 − X4 + X6 − X8 + X9 − X11 + X12 ✗✗ Φ105(X): degree 48; 33 monomials with {−2, −1, 1}-coefficients

5 / 12

The Form of Cyclotomic Polynomials

◮ For prime p, Φp(X) = 1 + X + X2 + · · · + Xp−1 and Φpe(X) = Φp(Xpe−1). Mod-Φpe(X) reduction is efficient; small(ish) expansion factor. But still not enough: e.g., SIMD FHE likes m = 3 · 7 · 19 · 73. ◮ What about non-prime power m?

✗ Φ21(X) = 1 − X + X3 − X4 + X6 − X8 + X9 − X11 + X12 ✗✗ Φ105(X): degree 48; 33 monomials with {−2, −1, 1}-coefficients ✗✗✗ Φ3·7·19·73(X): highly irregular; large coeffs

5 / 12

The Form of Cyclotomic Polynomials

◮ For prime p, Φp(X) = 1 + X + X2 + · · · + Xp−1 and Φpe(X) = Φp(Xpe−1). Mod-Φpe(X) reduction is efficient; small(ish) expansion factor. But still not enough: e.g., SIMD FHE likes m = 3 · 7 · 19 · 73. ◮ What about non-prime power m?

✗ Φ21(X) = 1 − X + X3 − X4 + X6 − X8 + X9 − X11 + X12 ✗✗ Φ105(X): degree 48; 33 monomials with {−2, −1, 1}-coefficients ✗✗✗ Φ3·7·19·73(X): highly irregular; large coeffs

Yuck!!!

✗ Irregular Φm(X) induces cumbersome, slower operations modulo Φm(X) ✗ Large expansion factors — up to super-polynomial nω(1) [Erd˝

• s’46]

✗ Provable & concrete security also degrade with expansion factor: pay twice!

5 / 12

Our Contributions

A toolkit of simple, fast algorithms and tight error analyses for working with ring-LWE in arbitrary cyclotomics

6 / 12

Our Contributions

A toolkit of simple, fast algorithms and tight error analyses for working with ring-LWE in arbitrary cyclotomics Fast Algorithms: ring operations (+, ·); noise generation & decoding; conversions among the best representations for each task. = ⇒ Runtimes: O(n) per prime divisor of m, or O(n log n).

6 / 12

Our Contributions

A toolkit of simple, fast algorithms and tight error analyses for working with ring-LWE in arbitrary cyclotomics Fast Algorithms: ring operations (+, ·); noise generation & decoding; conversions among the best representations for each task. = ⇒ Runtimes: O(n) per prime divisor of m, or O(n log n). Tight Analysis: same noise growth and worst-case hardness in all cyclotomics; optimal noise tolerance in decoding. = ⇒ No dependence on the form of m.

6 / 12

Our Contributions

A toolkit of simple, fast algorithms and tight error analyses for working with ring-LWE in arbitrary cyclotomics Fast Algorithms: ring operations (+, ·); noise generation & decoding; conversions among the best representations for each task. = ⇒ Runtimes: O(n) per prime divisor of m, or O(n log n). Tight Analysis: same noise growth and worst-case hardness in all cyclotomics; optimal noise tolerance in decoding. = ⇒ No dependence on the form of m.

Key Ideas

1 In algorithms, use tensorial representations of ring elements.

✔ No reduction modulo Φm(X) — in fact, don’t need Φm(X) at all!

6 / 12

Our Contributions

A toolkit of simple, fast algorithms and tight error analyses for working with ring-LWE in arbitrary cyclotomics Fast Algorithms: ring operations (+, ·); noise generation & decoding; conversions among the best representations for each task. = ⇒ Runtimes: O(n) per prime divisor of m, or O(n log n). Tight Analysis: same noise growth and worst-case hardness in all cyclotomics; optimal noise tolerance in decoding. = ⇒ No dependence on the form of m.

Key Ideas

1 In algorithms, use tensorial representations of ring elements.

✔ No reduction modulo Φm(X) — in fact, don’t need Φm(X) at all!

2 In analysis, use canonical embedding to define geometry.

6 / 12

Our Contributions

A toolkit of simple, fast algorithms and tight error analyses for working with ring-LWE in arbitrary cyclotomics Fast Algorithms: ring operations (+, ·); noise generation & decoding; conversions among the best representations for each task. = ⇒ Runtimes: O(n) per prime divisor of m, or O(n log n). Tight Analysis: same noise growth and worst-case hardness in all cyclotomics; optimal noise tolerance in decoding. = ⇒ No dependence on the form of m.

Key Ideas

1 In algorithms, use tensorial representations of ring elements.

✔ No reduction modulo Φm(X) — in fact, don’t need Φm(X) at all!

2 In analysis, use canonical embedding to define geometry. 3 Use decoding basis of dual ideal R∨ for noise generation & decoding.

✔ Corresponds to the “true” definition of ring-LWE.

6 / 12

Tensorial Decomposition and the “Powerful” Basis

◮ Recall: Φp(X) = 1 + X + · · · + Xp−1 and Φpe(X) = Φp(Xpe−1).

7 / 12

Tensorial Decomposition and the “Powerful” Basis

◮ Recall: Φp(X) = 1 + X + · · · + Xp−1 and Φpe(X) = Φp(Xpe−1).

Ancient Theorem [Kummer, 1840s]

◮ Let m =

ℓ mℓ be the prime-power factorization of m.

Then the mth cyclotomic ring R = Z[X]/Φm(X) is isomorphic to the tensor product of all the mℓth cyclotomic rings: R ∼ = Z[X1, X2, . . .]/(Φm1(X1), Φm2(X2), . . .). Isomorphism identifies Xℓ with Xm/mℓ.

7 / 12

Tensorial Decomposition and the “Powerful” Basis

◮ Recall: Φp(X) = 1 + X + · · · + Xp−1 and Φpe(X) = Φp(Xpe−1).

Ancient Theorem [Kummer, 1840s]

◮ Let m =

ℓ mℓ be the prime-power factorization of m.

Then the mth cyclotomic ring R = Z[X]/Φm(X) is isomorphic to the tensor product of all the mℓth cyclotomic rings: R ∼ = Z[X1, X2, . . .]/(Φm1(X1), Φm2(X2), . . .). Isomorphism identifies Xℓ with Xm/mℓ.

The Powerful Basis

◮ It’s the natural Z-basis {Xj1

1 Xj2 2 · · ·} = ℓ{Xjℓ ℓ }, 0 ≤ jℓ < ϕ(mℓ).

7 / 12

Tensorial Decomposition and the “Powerful” Basis

◮ Recall: Φp(X) = 1 + X + · · · + Xp−1 and Φpe(X) = Φp(Xpe−1).

Ancient Theorem [Kummer, 1840s]

◮ Let m =

ℓ mℓ be the prime-power factorization of m.

Then the mth cyclotomic ring R = Z[X]/Φm(X) is isomorphic to the tensor product of all the mℓth cyclotomic rings: R ∼ = Z[X1, X2, . . .]/(Φm1(X1), Φm2(X2), . . .). Isomorphism identifies Xℓ with Xm/mℓ.

The Powerful Basis

◮ It’s the natural Z-basis {Xj1

1 Xj2 2 · · ·} = ℓ{Xjℓ ℓ }, 0 ≤ jℓ < ϕ(mℓ).

◮ It is not the “power” basis {1, X, X2, . . . , Xϕ(m)−1} of Z[X]/Φm(X). E.g., for m = 15 it’s {Xj} for j ∈ {0, 3, 5, 6, 8, 9, 11, 14}.

7 / 12

If You Remember Only One Thing From This Talk. . .

Tensorial decomposition with the powerful basis is algebraically, computationally, and geometrically preferable to Z[X]/Φm(X) with the power basis.

8 / 12

If You Remember Only One Thing From This Talk. . .

Tensorial decomposition with the powerful basis is algebraically, computationally, and geometrically preferable to Z[X]/Φm(X) with the power basis. Algebra: Exposes fine-grained structure of the ring and its relationships with other cyclotomic rings.

8 / 12

If You Remember Only One Thing From This Talk. . .

Tensorial decomposition with the powerful basis is algebraically, computationally, and geometrically preferable to Z[X]/Φm(X) with the power basis. Algebra: Exposes fine-grained structure of the ring and its relationships with other cyclotomic rings. E.g.: has applications in “ring-switching” [GHPS’12] and new bootstrapping [AP’13] algorithms for FHE.

8 / 12

If You Remember Only One Thing From This Talk. . .

Tensorial decomposition with the powerful basis is algebraically, computationally, and geometrically preferable to Z[X]/Φm(X) with the power basis. Algebra: Exposes fine-grained structure of the ring and its relationships with other cyclotomic rings. E.g.: has applications in “ring-switching” [GHPS’12] and new bootstrapping [AP’13] algorithms for FHE. Algorithms: Efficiently reduces all operations to the prime-power case, by dealing with each Xℓ independently.

8 / 12

If You Remember Only One Thing From This Talk. . .

Tensorial decomposition with the powerful basis is algebraically, computationally, and geometrically preferable to Z[X]/Φm(X) with the power basis. Algebra: Exposes fine-grained structure of the ring and its relationships with other cyclotomic rings. E.g.: has applications in “ring-switching” [GHPS’12] and new bootstrapping [AP’13] algorithms for FHE. Algorithms: Efficiently reduces all operations to the prime-power case, by dealing with each Xℓ independently. E.g.: simple, fast conversions to/from “evaluation (CRT) representation,” via sequence of prime-power FFTs.

8 / 12

If You Remember Only One Thing From This Talk. . .

Tensorial decomposition with the powerful basis is algebraically, computationally, and geometrically preferable to Z[X]/Φm(X) with the power basis. Algebra: Exposes fine-grained structure of the ring and its relationships with other cyclotomic rings. E.g.: has applications in “ring-switching” [GHPS’12] and new bootstrapping [AP’13] algorithms for FHE. Algorithms: Efficiently reduces all operations to the prime-power case, by dealing with each Xℓ independently. E.g.: simple, fast conversions to/from “evaluation (CRT) representation,” via sequence of prime-power FFTs. Geometry: Norms, singular values, Gram-Schmidt orthogonalization, dual basis, etc. all behave well under tensoring.

8 / 12

If You Remember Only One Thing From This Talk. . .

Tensorial decomposition with the powerful basis is algebraically, computationally, and geometrically preferable to Z[X]/Φm(X) with the power basis. Algebra: Exposes fine-grained structure of the ring and its relationships with other cyclotomic rings. E.g.: has applications in “ring-switching” [GHPS’12] and new bootstrapping [AP’13] algorithms for FHE. Algorithms: Efficiently reduces all operations to the prime-power case, by dealing with each Xℓ independently. E.g.: simple, fast conversions to/from “evaluation (CRT) representation,” via sequence of prime-power FFTs. Geometry: Norms, singular values, Gram-Schmidt orthogonalization, dual basis, etc. all behave well under tensoring. E.g.: powerful basis is better-conditioned than power basis.

8 / 12

Geometry of the Ring

◮ Consider R = Z[X]/Φp(X) with power basis {1, X, X2, . . . , Xp−2}.

9 / 12

Geometry of the Ring

◮ Consider R = Z[X]/Φp(X) with power basis {1, X, X2, . . . , Xp−2}. ◮ Geometrically, associating elements with their coeff vectors is strange: Xj ← → (0, . . . , 0, 1, 0, . . . , 0), (j = 0, . . . , p − 2) Xp−1 ← → (−1, −1, . . . , −1)

9 / 12

Geometry of the Ring

◮ Consider R = Z[X]/Φp(X) with power basis {1, X, X2, . . . , Xp−2}. ◮ Geometrically, associating elements with their coeff vectors is strange: Xj ← → (0, . . . , 0, 1, 0, . . . , 0), (j = 0, . . . , p − 2) Xp−1 ← → (−1, −1, . . . , −1) We want a basis-independent geometry.

9 / 12

Geometry of the Ring

◮ Consider R = Z[X]/Φp(X) with power basis {1, X, X2, . . . , Xp−2}. ◮ Geometrically, associating elements with their coeff vectors is strange: Xj ← → (0, . . . , 0, 1, 0, . . . , 0), (j = 0, . . . , p − 2) Xp−1 ← → (−1, −1, . . . , −1) We want a basis-independent geometry. ◮ The canonical embedding σ: R → Cp−1 evaluates at all roots of Φp: σ(e(X)) =

• e(ω1

p), e(ω2 p), . . . , e(ωp−1 p

)

• 9 / 12

Geometry of the Ring

◮ Consider R = Z[X]/Φp(X) with power basis {1, X, X2, . . . , Xp−2}. ◮ Geometrically, associating elements with their coeff vectors is strange: Xj ← → (0, . . . , 0, 1, 0, . . . , 0), (j = 0, . . . , p − 2) Xp−1 ← → (−1, −1, . . . , −1) We want a basis-independent geometry. ◮ The canonical embedding σ: R → Cp−1 evaluates at all roots of Φp: σ(e(X)) =

• e(ω1

p), e(ω2 p), . . . , e(ωp−1 p

)

• Define all geometric quantities using σ: e.g., e2 := σ(e)2.

9 / 12

Geometry of the Ring

◮ Consider R = Z[X]/Φp(X) with power basis {1, X, X2, . . . , Xp−2}. ◮ Geometrically, associating elements with their coeff vectors is strange: Xj ← → (0, . . . , 0, 1, 0, . . . , 0), (j = 0, . . . , p − 2) Xp−1 ← → (−1, −1, . . . , −1) We want a basis-independent geometry. ◮ The canonical embedding σ: R → Cp−1 evaluates at all roots of Φp: σ(e(X)) =

• e(ω1

p), e(ω2 p), . . . , e(ωp−1 p

)

• Define all geometric quantities using σ: e.g., e2 := σ(e)2.

Nice Features of the Canonical Embedding

✔ Xj∞ = 1 and Xj2 = √p − 1 for all j.

9 / 12

Geometry of the Ring

◮ Consider R = Z[X]/Φp(X) with power basis {1, X, X2, . . . , Xp−2}. ◮ Geometrically, associating elements with their coeff vectors is strange: Xj ← → (0, . . . , 0, 1, 0, . . . , 0), (j = 0, . . . , p − 2) Xp−1 ← → (−1, −1, . . . , −1) We want a basis-independent geometry. ◮ The canonical embedding σ: R → Cp−1 evaluates at all roots of Φp: σ(e(X)) =

• e(ω1

p), e(ω2 p), . . . , e(ωp−1 p

)

• Define all geometric quantities using σ: e.g., e2 := σ(e)2.

Nice Features of the Canonical Embedding

✔ Xj∞ = 1 and Xj2 = √p − 1 for all j. ✔ Under σ, both + and · are coordinate-wise: σ(a · b) = σ(a) ⊙ σ(b).

9 / 12

Geometry of the Ring

◮ Consider R = Z[X]/Φp(X) with power basis {1, X, X2, . . . , Xp−2}. ◮ Geometrically, associating elements with their coeff vectors is strange: Xj ← → (0, . . . , 0, 1, 0, . . . , 0), (j = 0, . . . , p − 2) Xp−1 ← → (−1, −1, . . . , −1) We want a basis-independent geometry. ◮ The canonical embedding σ: R → Cp−1 evaluates at all roots of Φp: σ(e(X)) =

• e(ω1

p), e(ω2 p), . . . , e(ωp−1 p

)

• Define all geometric quantities using σ: e.g., e2 := σ(e)2.

Nice Features of the Canonical Embedding

✔ Xj∞ = 1 and Xj2 = √p − 1 for all j. ✔ Under σ, both + and · are coordinate-wise: σ(a · b) = σ(a) ⊙ σ(b). Makes expansion very easy to analyze: e.g., a · b2 ≤ a∞ · b2.

9 / 12

Geometry of the Ring

◮ Consider R = Z[X]/Φp(X) with power basis {1, X, X2, . . . , Xp−2}. ◮ Geometrically, associating elements with their coeff vectors is strange: Xj ← → (0, . . . , 0, 1, 0, . . . , 0), (j = 0, . . . , p − 2) Xp−1 ← → (−1, −1, . . . , −1) We want a basis-independent geometry. ◮ The canonical embedding σ: R → Cp−1 evaluates at all roots of Φp: σ(e(X)) =

• e(ω1

p), e(ω2 p), . . . , e(ωp−1 p

)

• Define all geometric quantities using σ: e.g., e2 := σ(e)2.

Nice Features of the Canonical Embedding

✔ Xj∞ = 1 and Xj2 = √p − 1 for all j. ✔ Under σ, both + and · are coordinate-wise: σ(a · b) = σ(a) ⊙ σ(b). Makes expansion very easy to analyze: e.g., a · b2 ≤ a∞ · b2. ✔ Ring-LWE is provably hard with (spherical) Gaussian noise under σ.

9 / 12

Dual Ideal R∨ and Decoding Basis

◮ R = Z[X]/Φp(X) under embedding σ is a lattice in Cp−1. R = Z[X]/Φ3(X)

X0 X1

10 / 12

Dual Ideal R∨ and Decoding Basis

◮ R = Z[X]/Φp(X) under embedding σ is a lattice in Cp−1. ◮ Its dual R∨ has Z-basis {dj}, given by σ(dj) , σ(Xj′) = δj,j′. We call {dj} the decoding basis.

(It also has a tensor form. . . )

R = Z[X]/Φ3(X)

X0 X1 d0 d1

10 / 12

Dual Ideal R∨ and Decoding Basis

◮ R = Z[X]/Φp(X) under embedding σ is a lattice in Cp−1. ◮ Its dual R∨ has Z-basis {dj}, given by σ(dj) , σ(Xj′) = δj,j′. We call {dj} the decoding basis.

(It also has a tensor form. . . )

◮ R∨ is a (fractional) ideal, and pR∨ ⊆ R ⊆ R∨, with pR∨ ≈ R. R = Z[X]/Φ3(X)

X0 X1 d0 d1

R∨ R

d0 d1

10 / 12

Dual Ideal R∨ and Decoding Basis

◮ In “true” ring-LWE, errors are Gaussian over R∨.

11 / 12

Dual Ideal R∨ and Decoding Basis

◮ In “true” ring-LWE, errors are Gaussian over R∨. ◮ In decryption, we need to recover e ∈ R∨, given ¯ e = e mod qR∨.

11 / 12

Dual Ideal R∨ and Decoding Basis

◮ In “true” ring-LWE, errors are Gaussian over R∨. ◮ In decryption, we need to recover e ∈ R∨, given ¯ e = e mod qR∨. How: represent ¯ e in decoding basis with Zq-coeffs, then “lift” to Z.

11 / 12

Dual Ideal R∨ and Decoding Basis

◮ In “true” ring-LWE, errors are Gaussian over R∨. ◮ In decryption, we need to recover e ∈ R∨, given ¯ e = e mod qR∨. How: represent ¯ e in decoding basis with Zq-coeffs, then “lift” to Z.

Key Facts

◮ For short e ∈ R∨ (under σ), coeffs in decoding basis {dj} are small: e =

• j ejdj

(ej ∈ Z) = ⇒ |ej| =

• σ(e) , σ(Xj)
• ≤ e · √n.

11 / 12

Dual Ideal R∨ and Decoding Basis

◮ In “true” ring-LWE, errors are Gaussian over R∨. ◮ In decryption, we need to recover e ∈ R∨, given ¯ e = e mod qR∨. How: represent ¯ e in decoding basis with Zq-coeffs, then “lift” to Z.

Key Facts

◮ For short e ∈ R∨ (under σ), coeffs in decoding basis {dj} are small: e =

• j ejdj

(ej ∈ Z) = ⇒ |ej| =

• σ(e) , σ(Xj)
• ≤ e · √n.

◮ Moreover, |ej| are optimally small given “density” of R∨, because powerful basis {Xj} is optimally short given density of R.

11 / 12

Dual Ideal R∨ and Decoding Basis

◮ In “true” ring-LWE, errors are Gaussian over R∨. ◮ In decryption, we need to recover e ∈ R∨, given ¯ e = e mod qR∨. How: represent ¯ e in decoding basis with Zq-coeffs, then “lift” to Z.

Key Facts

◮ For short e ∈ R∨ (under σ), coeffs in decoding basis {dj} are small: e =

• j ejdj

(ej ∈ Z) = ⇒ |ej| =

• σ(e) , σ(Xj)
• ≤ e · √n.

◮ Moreover, |ej| are optimally small given “density” of R∨, because powerful basis {Xj} is optimally short given density of R. ◮ By contrast, such optimal decoding is not possible for R/qR, because R∨ lacks optimally short elements for its density.

11 / 12

Dual Ideal R∨ and Decoding Basis

◮ In “true” ring-LWE, errors are Gaussian over R∨. ◮ In decryption, we need to recover e ∈ R∨, given ¯ e = e mod qR∨. How: represent ¯ e in decoding basis with Zq-coeffs, then “lift” to Z.

Key Facts

◮ For short e ∈ R∨ (under σ), coeffs in decoding basis {dj} are small: e =

• j ejdj

(ej ∈ Z) = ⇒ |ej| =

• σ(e) , σ(Xj)
• ≤ e · √n.

◮ Moreover, |ej| are optimally small given “density” of R∨, because powerful basis {Xj} is optimally short given density of R. ◮ By contrast, such optimal decoding is not possible for R/qR, because R∨ lacks optimally short elements for its density. ◮ Bottom line: using R∨ is actually beneficial in applications!

(And “advanced” applications benefit even more from its algebraic properties.)

11 / 12

Concluding Thoughts

◮ The “right” choices of mathematical objects and representations (canonical embedding, R∨) (tensor bases) come together perfectly, yielding:

12 / 12

Concluding Thoughts

◮ The “right” choices of mathematical objects and representations (canonical embedding, R∨) (tensor bases) come together perfectly, yielding: provable hardness,

12 / 12

Concluding Thoughts

◮ The “right” choices of mathematical objects and representations (canonical embedding, R∨) (tensor bases) come together perfectly, yielding: provable hardness, fast algorithms,

12 / 12

Concluding Thoughts

◮ The “right” choices of mathematical objects and representations (canonical embedding, R∨) (tensor bases) come together perfectly, yielding: provable hardness, fast algorithms, tight analysis — no compromises.

12 / 12

Concluding Thoughts

◮ The “right” choices of mathematical objects and representations (canonical embedding, R∨) (tensor bases) come together perfectly, yielding: provable hardness, fast algorithms, tight analysis — no compromises. ◮ Much more in the paper: “regularity” lemma, (homomorphic) encryption schemes, implementation advice, . . .

12 / 12

Concluding Thoughts

◮ The “right” choices of mathematical objects and representations (canonical embedding, R∨) (tensor bases) come together perfectly, yielding: provable hardness, fast algorithms, tight analysis — no compromises. ◮ Much more in the paper: “regularity” lemma, (homomorphic) encryption schemes, implementation advice, . . . ◮ Implementations coming soon!

12 / 12

Concluding Thoughts

◮ The “right” choices of mathematical objects and representations (canonical embedding, R∨) (tensor bases) come together perfectly, yielding: provable hardness, fast algorithms, tight analysis — no compromises. ◮ Much more in the paper: “regularity” lemma, (homomorphic) encryption schemes, implementation advice, . . . ◮ Implementations coming soon!

Thanks!

Full version: ePrint #2013/293 http://eprint.iacr.org/2013/293

12 / 12